Field of the Invention
The invention relates to the field of authentication systems and methods for physical access.
Related Art
Many organizations protect themselves with physical and logical access control systems (PACSs/LACSs) based on proximity cards, such as contactless access badges. Large enterprises with multiple sites often need to maintain multiple independent PACSs/LACSs for their different sites due to the complexity and cost to homogenize the information technology (IT) infrastructure or upgrade technology to a single solution.
Because the credential in the proximity card is static and unique and cannot depend on the context of use, a single card is prohibited from accessing more than one of these multiple sites or domains, each with an independent PACS/LACS and access points using different technologies. Access points may be contact or contactless door readers, wireless access points, Firewire, USB, smart card readers, mouse or keyboard, microphone, audio, video or any other contact interfaces on laptop or desktop terminals or kiosks. Consequently, employees of large corporations who travel to different sites or locations must carry multiple proximity cards or disregard provided access control means (e.g. act as visitors).
The proximity contactless card technology for access control is well known. A card reader installed at each specified doorway or entry point generates an electromagnetic field. The ensuing electromagnetic induction activates the antenna of each contactless proximity card entering the field to release a unique static identifier, authenticator or credential. The reader obtains this credential and forwards it to a central controller for validation and assessment of authorization. Upon notification of success, the card reader then gives access to the secure site, for example, by unlocking a door to a secure area.
In addition to the incapability to produce context dependent credentials, another limiting factor of the proximity contactless card is its restricted use to access points or door readers that require contact or contactless proximity interface such as ISO 7816, 125 kHz proximity, or ISO 14443. This constraint excludes other vicinity or medium range wireless protocols such as ISO 15693, 802.11, or Bluetooth, since the card itself does not have the necessary embedded power to implement those protocols.
There are security drawbacks with the use of current proximity card technology such as contactless proximity cards. The proximity cards do not offer self-protection against copying and stealing since the credential can be released without user consent when the card is not protected with a passive shield. Any proximity contactless field caused by a door reader or access point will cause the proximity card to release the credential. Therefore, a proximity card could possibly be simulated with a simple copy of the credential. Also, with multiple proximity cards per employee rather than one, the average number of lost or vulnerable cards is increased, which in turn increases the average amount of time that lost or stolen enterprise cards are in possession of attackers.
Digital badgeholders are interface devices for smart cards or badges. Digital badgeholders generally provide up to three communication interfaces: interface with cardholder such as PIN pad for smart card PIN entry, interface with the smart card or badge such as ISO 7816 contact interface, and interface with access points of the IT network for administration or proximity contactless usage. Existing digital badgeholder technology provides wireless or contactless communication that can simulate a contactless card. Document US 2006-0213982 A1 describes a portable biometric identification device with regular smart card capabilities. The device includes smart card read/write capabilities and transmission of electronic data protected in the smart card through a wireless interface. The document does not, however, describe how a single device can access multiple sites that each have a different PACS/LACS. Specifically, the application lacks the means to select and release the appropriate credential, with the appropriate interface protocol and policy according to the context of use.
Other known portable proximity contactless authentication devices for physical access consist of one single integrated device and include a security module to store the credentials, such as a SIM, a Smart Card, a SAM, or Mobile TPM, or a USB controller including a secure chip. Such devices are supporting either conversational contactless protocols such as 13.56 MHz ISO 14443A or B (e.g. MIFARE, or FIPS201 dual interface smart cards), or are based on non-conversational contactless protocols as for instance 125 kHz proximity cards. Non-conversational interface protocols are implemented with a reader that produces an electromagnetic field but remains uncommunicative and a portable device that broadcasts its credential as soon as the electromagnetic field is encountered. None of the above devices can provide context-dependent credentials with non-conversational readers such as proximity card readers.